Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


53-1003035-02

Configuring 802.1x port security


If the Tunnel-Type or the Tunnel-Medium-Type attributes in the Access-Accept message do have
the values specified above, but there is no value specified for the Tunnel-Private-Group-ID
attribute, the client will not become authorized.

When the device receives the value specified for the Tunnel-Private-Group-ID attribute, it
checks whether the vlan-name string matches the name of a VLAN configured on the device. If
there is a VLAN on the device whose name matches the vlan-name, then the client’s port is
placed in the VLAN whose ID corresponds to the VLAN name.

If the vlan-name string does not match the name of a VLAN, the device checks whether the
string, when converted to a number, matches the ID of a VLAN configured on the device. If it
does, then the client’s port is placed in the VLAN with that ID.

If the vlan-name string does not match either the name or the ID of a VLAN configured on the
device, then the client will not become authorized.

The show interface command displays the VLAN to which an 802.1x-enabled port has been
dynamically assigned, as well as the VLAN from which it was moved (that is, the port’s default VLAN).
Refer to “Displaying dynamically assigned VLAN information” for sample output indicating the
port’s dynamically assigned VLAN.

Considerations for dynamic VLAN assignment in an 802.1x multiple client configuration

The following considerations apply when a client in an 802.1x multiple client configuration is
successfully authenticated, and the RADIUS Access-Accept message specifies a VLAN for the port:

If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of a valid VLAN on the device, then the port is placed in that
VLAN.

If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of a different VLAN, then it is considered an authentication
failure. The port’s VLAN membership is not changed.

If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of that same VLAN, then traffic from the client is forwarded
normally.

If the RADIUS Access-Accept message specifies the name or ID of a VLAN that does not exist
on the device, then it is considered an authentication failure.

If the RADIUS Access-Accept message does not contain any VLAN information, the client’s
dot1x-mac-session is set to “access-is-allowed”. If the port is already in a RADIUS-specified
VLAN, it remains in that VLAN.
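The lookup order for the Tunnel-Private-Group-ID string (VLAN name first, then the string converted to a VLAN ID, then rejection) and the multiple-client rules listed above are modelled in the following Python block. It is an added illustration, not Brocade IronWare code: the VLAN table, the port name and the sequence of Access-Accept messages are constructed, and the expected attribute values Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6) are the RFC 3580 values that the guide refers to as “specified above”. A Tunnel-Private-Group-ID arriving without those two Tunnel attributes is not covered on this page; the model treats it as “no VLAN information”, which is an assumption.

```python
"""Model of the 802.1x dynamic VLAN assignment rules described on this page.

Added illustration, not Brocade IronWare code. The VLAN table, port and
Access-Accept messages are constructed; Tunnel-Type = 13 and
Tunnel-Medium-Type = 6 are the RFC 3580 values (assumed to be the values
the guide refers to as "specified above").
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 3580: Tunnel-Medium-Type = IEEE-802


@dataclass
class Switch:
    """Constructed device state: configured VLANs and per-port RADIUS assignment."""
    vlans: dict[int, Optional[str]]                           # VLAN ID -> name (None if unnamed)
    radius_vlan: dict[str, int] = field(default_factory=dict)  # port -> RADIUS-specified VLAN

    def resolve_vlan(self, group_id: str) -> Optional[int]:
        """Tunnel-Private-Group-ID lookup in the order the page gives:
        1. the string equals the name of a configured VLAN;
        2. otherwise the string, converted to a number, equals a configured VLAN ID;
        3. otherwise no match (the client will not become authorized).
        """
        for vid, name in self.vlans.items():
            if name is not None and name == group_id:
                return vid
        if group_id.isascii() and group_id.isdigit() and int(group_id) in self.vlans:
            return int(group_id)
        return None

    def authorize(self, port: str, attrs: dict) -> tuple[bool, str]:
        """Apply one Access-Accept to a successfully authenticated client on `port`.

        Returns (authorized, reason). The port's RADIUS VLAN membership changes only
        in the single case the page allows: a port not yet in a RADIUS-specified VLAN
        receiving a valid VLAN name or ID.
        """
        vlan_signalled = (attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
                          and attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_IEEE_802)
        group_id = attrs.get("Tunnel-Private-Group-ID")

        if vlan_signalled and group_id is None:
            return False, "Tunnel attributes present but Tunnel-Private-Group-ID missing"

        if not vlan_signalled:
            # No VLAN information: dot1x-mac-session becomes access-is-allowed and a
            # port already in a RADIUS-specified VLAN stays there. (Group-ID without the
            # Tunnel attributes is treated the same way; assumption, not from the page.)
            return True, "access-is-allowed; VLAN membership unchanged"

        target = self.resolve_vlan(group_id)
        if target is None:
            return False, f"{group_id!r} matches neither a VLAN name nor a VLAN ID"

        current = self.radius_vlan.get(port)
        if current is None:
            self.radius_vlan[port] = target            # port placed in the RADIUS VLAN
            return True, f"port {port} moved to VLAN {target}"
        if current != target:
            # Multiple-client rule: a later client may not re-home the port.
            return False, f"port {port} already in RADIUS VLAN {current}; VLAN {target} refused"
        return True, f"forwarded normally in VLAN {current}"


def demo() -> list[tuple[bool, str]]:
    """Constructed multiple-client sequence on one port; returns each verdict in order."""
    sw = Switch(vlans={1: "DEFAULT-VLAN", 10: "engineering", 20: None, 30: "guest"})
    accepts = [
        {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "engineering"},
        {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "10"},
        {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "guest"},
        {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6},
        {},
        {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "99"},
    ]
    return [sw.authorize("ethernet 1/1", a) for a in accepts]


if __name__ == "__main__":
    for ok, why in demo():
        print("AUTHORIZED" if ok else "REJECTED  ", why)
```

Running the block prints one verdict per client. The second client, whose Access-Accept carries the string "10", lands in the same VLAN as the first client's "engineering" because the numeric fallback resolves to the VLAN already selected by name; the third client, assigned "guest", is rejected without disturbing the port. In a multiple-client deployment this means every client behind a port must be mapped by RADIUS to the same VLAN, or later authentications will fail.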

Disabling and enabling strict security mode for dynamic filter assignment

By default, 802.1x dynamic filter assignment operates in strict security mode. When strict security
mode is enabled, 802.1x authentication for a port fails if the Filter-ID attribute contains invalid
information, or if insufficient system resources are available to implement the per-user IP ACLs or
MAC address filters specified in the Vendor-Specific attribute.